-----Original Message-----
From: Zeke [mailto:ezekt@...]
Sent: Friday, February 27, 2009 4:22 PM
To: mod-security-users@...
Subject: [mod-security-users] Log Post request
How can I log the whole body of a Post using mod_security2?
[Ryan Barnett] Make sure that you have the SecRequestBodyAccess directive set to On and then you need to have "C" specified in the SecAuditLogParts directive.
If you use the Core Rule Set, these settings are already configured in the modsecurity_crs_10_config.conf file.

Thanks Ryan, that may do what I need. Trying to hide it from
McAfee-ScanAlert.
on 2/27/09 8:35 AM, Ryan Barnett at Ryan.Barnett@... wrote:
> -----Original Message-----
> From: Mike Yrabedra [mailto:lists@...]
> Sent: Friday, February 27, 2009 6:13 AM
> To: modsec-users
> Subject: [mod-security-users] Disable php_flag version?
>
>
>
> Is there any way I can change ( or disable ) what PHP version is returned
> when someone does a scan of my server?
>
> [Ryan Barnett] The problem is that there are so many ways that application version
> information data may leak out. Check out some of the comments here -
> http://www.php.net/manual/en/security.hiding.php. You might want something
> like "expose_php=Off" in your php.ini file. ModSecurity can help to hide the
> php module info in the Server response header if you set the
> SecServerSignature directive.
>
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
> -Strategies to boost innovation and cut costs with open source participation
> -Receive a $600 discount off the registration fee with the source code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
--
Mike B^)>

From: pinto.elia@... [mailto:pinto.elia@...] On Behalf Of yersinia
Sent: Friday, February 27, 2009 8:54 AM
To: Ryan Barnett
Cc: Mike Yrabedra; modsec-users
Subject: Re: [mod-security-users] Disable php_flag version?
On Fri, Feb 27, 2009 at 2:35 PM, Ryan Barnett <Ryan.Barnett@...> wrote:
-----Original Message-----
From: Mike Yrabedra [mailto:lists@...]
Sent: Friday, February 27, 2009 6:13 AM
To: modsec-users
Subject: [mod-security-users] Disable php_flag version?
Is there any way I can change ( or disable ) what PHP version is returned
when someone does a scan of my server?
[Ryan Barnett] The problem is that there are so many ways that application version information data may leak out. Check out some of the comments here - http://www.php.net/manual/en/security.hiding.php. You might want something like "expose_php=Off" in your php.ini file. ModSecurity can help to hide the php module info in the Server response header if you set the SecServerSignature directive.
But not in reverse proxy mode with mod_proxy. You have to use mod_header.
[Ryan Barnett] True, you would have to use something like this -
Header always set Server "Whatever-Name-You-Want"

On Fri, Feb 27, 2009 at 2:35 PM, Ryan Barnett <Ryan.Barnett@...> wrote:
> -----Original Message-----
> From: Mike Yrabedra [mailto:lists@...]
> Sent: Friday, February 27, 2009 6:13 AM
> To: modsec-users
> Subject: [mod-security-users] Disable php_flag version?
>
>
>
> Is there any way I can change ( or disable ) what PHP version is returned
> when someone does a scan of my server?
>
> [Ryan Barnett] The problem is that there are so many ways that application
> version information data may leak out. Check out some of the comments here
> - http://www.php.net/manual/en/security.hiding.php. You might want
> something like "expose_php=Off" in your php.ini file. ModSecurity can help
> to hide the php module info in the Server response header if you set the
> SecServerSignature directive.
>
>
But not in reverse proxy mode with mod_proxy. You have to use mod_header.
Regards
Elia

-----Original Message-----
From: Mike Yrabedra [mailto:lists@...]
Sent: Friday, February 27, 2009 6:13 AM
To: modsec-users
Subject: [mod-security-users] Disable php_flag version?
Is there any way I can change ( or disable ) what PHP version is returned
when someone does a scan of my server?
[Ryan Barnett] The problem is that there are so many ways that application version information data may leak out. Check out some of the comments here - http://www.php.net/manual/en/security.hiding.php. You might want something like "expose_php=Off" in your php.ini file. ModSecurity can help to hide the php module info in the Server response header if you set the SecServerSignature directive.

You would need to insert your tool between ModSecurity (Apache) and mlogc:
1. ModSecurity would talk to your program instead of mlogc.
2. Your program would start mlogc on startup and open a pipe to it.
3. Your program would receive notifications and sanitise audit log files.
4. Your program would send notifications to mlogc.
On Thu, Feb 26, 2009 at 10:00 AM, Heiko <durchsage@...> wrote:
> supposed i had such a parser script. how and where could i "inject" it
> into the modsecurity-auditlog-process? could i anyhow anonymize the
> auditlog before mlogc is notified about the new file?
>
> heiko
>
> 2009/2/26 Ivan Ristic <ivan.ristic@...>:
>> ModSecurity uses piped logging only to notify mlogc that a new file is
>> available; it otherwise writes data directly to the file.
>>
>> The easiest solution for you may be to simply patch ModSecurity itself
>> to not record IP addresses. Any other approach may require you to have
>> a parser for the audit log format, which is non-trivial.
>>
>
--
Ivan Ristic
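Ivan's four steps above, as a worked example added here (not code from the thread or from the ModSecurity project): a Python filter that the SecAuditLog pipe starts instead of mlogc, which anonymises the client IP in each concurrent-mode audit log file and then forwards the corrected notification line to an mlogc it spawned. The script name, argument layout and the index-line field order (second field remote IP; path, offset, size and md5 as the trailing fields, which are refreshed after the rewrite) are assumptions, and the sample entry and index line are constructed.

```python
#!/usr/bin/env python3
# Hypothetical filter between ModSecurity's SecAuditLog pipe and mlogc (wiring assumed):
#   SecAuditLog "|/usr/local/bin/anon_mlogc.py /var/log/apache2/audit /usr/local/bin/mlogc /etc/apache2/mlogc.conf"
import hashlib, re, subprocess, sys
IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
# Constructed sample: one concurrent-mode audit log file and its index/notification line.
SAMPLE_ENTRY = (
    "--b4c2e1a7-A--\n"
    "[26/Feb/2009:09:35:00 +0100] SzJhWMCoAAEAAGsuAZ0AAAAA 192.168.0.111 54321 10.0.0.1 80\n"
    "--b4c2e1a7-B--\nGET /index.php HTTP/1.1\nHost: www.example.com\nX-Forwarded-For: 203.0.113.77\n\n"
    "--b4c2e1a7-Z--\n\n")
SAMPLE_INDEX = ('www.example.com 192.168.0.111 - - [26/Feb/2009:09:35:00 +0100] "GET /index.php HTTP/1.1" '
                '200 512 "-" "-" SzJhWMCoAAEAAGsuAZ0AAAAA "-" '
                "/20090226/20090226-0935/20090226-093500-SzJhWMCoAAEAAGsuAZ0AAAAA 0 180 md5:0123456789abcdef\n")

def anonymize_ip(ip):
    """Zero the host octet of an IPv4 address; anything else (e.g. IPv6) is returned untouched."""
    m = IPV4.fullmatch(ip)
    return ".".join(m.group(1, 2, 3)) + ".0" if m else ip

def sanitise_entry(entry):
    """Rewrite the client IP in section A and any X-Forwarded-For header in section B."""
    out, section = [], None
    for line in entry.splitlines(keepends=True):
        marker = re.match(r"--[0-9a-zA-Z]+-([A-Z])--", line)
        if marker:
            section = marker.group(1)
        elif section == "A":  # [timestamp] unique_id client_ip client_port server_ip server_port
            parts = line.split()
            if len(parts) >= 6:
                parts[-4] = anonymize_ip(parts[-4])
                line = " ".join(parts) + "\n"
        elif section == "B" and line.lower().startswith("x-forwarded-for:"):
            line = IPV4.sub(lambda m: anonymize_ip(m.group(0)), line)
        out.append(line)
    return "".join(out)

def rewrite_index_line(line, new_size, new_md5):
    """Anonymise field 2 (remote IP) and refresh the trailing size and md5 fields (assumed layout:
    hostname ip - - [ts] "req" status bytes "ref" "ua" id "sess" path offset size md5:hex)."""
    parts = line.rstrip("\n").split(" ")
    parts[1] = anonymize_ip(parts[1])
    parts[-2], parts[-1] = str(new_size), "md5:" + new_md5
    return " ".join(parts) + "\n"

def process_line(line, storage_dir):
    path = storage_dir.rstrip("/") + line.split(" ")[-4]  # path field is relative to the storage dir
    with open(path, encoding="latin-1") as f:             # latin-1 round-trips arbitrary bytes
        data = sanitise_entry(f.read()).encode("latin-1")
    with open(path, "wb") as f:                           # rewrite the file before mlogc sees it
        f.write(data)
    return rewrite_index_line(line, len(data), hashlib.md5(data).hexdigest())

def main():
    storage_dir, mlogc = sys.argv[1], subprocess.Popen(sys.argv[2:], stdin=subprocess.PIPE)
    for line in sys.stdin:  # one notification line per audit log file, written by ModSecurity
        try:
            mlogc.stdin.write(process_line(line, storage_dir).encode("latin-1"))
            mlogc.stdin.flush()
        except (OSError, IndexError) as err:  # never forward an entry that could not be sanitised
            print("anon_mlogc: %s" % err, file=sys.stderr)
    mlogc.communicate()  # close the pipe and wait for mlogc to exit

if __name__ == "__main__":
    main()
```

Note that only the copy shipped to mlogc is sanitised in step order; the on-disk file is rewritten in place, so the local SecAuditLogStorageDir holds the anonymised entry too, which is what the privacy requirement in the thread asks for.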

From: Heiko [mailto:durchsage@...]
Sent: Thursday, February 26, 2009 4:36 AM
To: mod-security-users@...
Subject: [mod-security-users] Anonymize Logs
hello all,
i'm currently testing modsecurity with concurrent logging through mlogc for using modsecurity-console. works great so far!
though a nice feature, we are not allowed to log the complete ip-address of the user because of privacy reasons (Data Protection Act).
[Ryan Barnett] Is it the UK DPA (http://www.out-law.com/page-8060) you are referring to or another one? While I understand that there may be some privacy/personal data issues to contend with, there *has* to be provision for web site operators to be able to use IP addresses within logs in order to conduct Incident Response and implement some reactive defenses against said IP address when under attack... If you don't log any client IP address within logs, how do you react when under say a Brute Force authentication attack?

Hi !
Just for the interested, I released the latest stable version of the
AuditViewer application. As I wrote before it has some new features such as
the Tree-View for browsing Alerts in a hierarchical manner, as well as
customized table-layout, i.e. you can specify which columns/ModSecurity
variables to show.
More details can be found at my current blog-post on this release at
https://secure.jwall.org/blog/2009/02/26/1235639491367.html
Feedback welcome.
Best regards,
Chris

supposed i had such a parser script. how and where could i "inject" it
into the modsecurity-auditlog-process? could i anyhow anonymize the
auditlog before mlogc is notified about the new file?
heiko
2009/2/26 Ivan Ristic <ivan.ristic@...>:
> ModSecurity uses piped logging only to notify mlogc that a new file is
> available; it otherwise writes data directly to the file.
>
> The easiest solution for you may be to simply patch ModSecurity itself
> to not record IP addresses. Any other approach may require you to have
> a parser for the audit log format, which is non-trivial.
>

Hi there,
A variant of the sanitise group of actions would be a nice feature.
There are the following actions in this group:
- sanitiseArg
- sanitisedMatched
- sanitiseRequestHeader
- sanitiseResponseHeader
An action to sanitise other request parameters would be helpful.
regs,
Christian
--
Christian Folini, IT 222
Webserver Security Engineer
-----Original Message-----
From: Ivan Ristic [mailto:ivan.ristic@...]
Sent: Thursday, 26 February 2009 10:47
To: Heiko
Cc: mod-security-users@...
Subject: Re: [mod-security-users] Anonymize Logs
ModSecurity uses piped logging only to notify mlogc that a new file is available; it otherwise writes data directly to the file.
The easiest solution for you may be to simply patch ModSecurity itself to not record IP addresses. Any other approach may require you to have a parser for the audit log format, which is non-trivial.
On Thu, Feb 26, 2009 at 9:35 AM, Heiko <durchsage@...> wrote:
> hello all,
>
> i'm currently testing modsecurity with concurrent logging through
> mlogc for using modsecurity-console. works great so far!
> though a nice feature, we are not allowed to log the complete
> ip-address of the user because of privacy reasons (Data Protection
> Act). for the standard apache access.log we use piped logging for
> real-time-anonymization with a perl script. is there a configuration
> option of modsecurity or mlogc to anonymize the ip-address a priori?
> if not, is multiple piping possible? the default pipe looks like this:
>
> SecAuditLog "|/usr/local/bin/mlogc /etc/apache2/mlogc.conf"
>
> what i would like to do now is to pipe the logs first through my
> anonymize-script and then through the mlogc-script.
> is this possible somehow?
>
> regards, heiko
>
>
--
Ivan Ristic

ModSecurity uses piped logging only to notify mlogc that a new file is
available; it otherwise writes data directly to the file.
The easiest solution for you may be to simply patch ModSecurity itself
to not record IP addresses. Any other approach may require you to have
a parser for the audit log format, which is non-trivial.
On Thu, Feb 26, 2009 at 9:35 AM, Heiko <durchsage@...> wrote:
> hello all,
>
> i'm currently testing modsecurity with concurrent logging through mlogc for
> using modsecurity-console. works great so far!
> though a nice feature, we are not allowed to log the complete ip-address of
> the user because of privacy reasons (Data Protection Act). for the standard
> apache access.log we use piped logging for real-time-anonymization with a
> perl script. is there a configuration option of modsecurity or mlogc to
> anonymize the ip-address a priori? if not, is multiple piping possible? the
> default pipe looks like this:
>
> SecAuditLog "|/usr/local/bin/mlogc /etc/apache2/mlogc.conf"
>
> what i would like to do now is to pipe the logs first through my
> anonymize-script and then through the mlogc-script.
> is this possible somehow?
>
> regards, heiko
>
>
--
Ivan Ristic

hello all,
i'm currently testing modsecurity with concurrent logging through mlogc for
using modsecurity-console. works great so far!
though a nice feature, we are not allowed to log the complete ip-address of
the user because of privacy reasons (Data Protection Act). for the standard
apache access.log we use piped logging for real-time-anonymization with a
perl script. is there a configuration option of modsecurity or mlogc to
anonymize the ip-address a priori? if not, is multiple piping possible? the
default pipe looks like this:
SecAuditLog "|/usr/local/bin/mlogc /etc/apache2/mlogc.conf"
what i would like to do now is to pipe the logs first through my
anonymize-script and then through the mlogc-script.
is this possible somehow?
regards, heiko

Attempting to install mod_security 2.5.7 on CentOS 5.2 x86_64.
Not available via yum from main CentOS repo or CentOS extras.
No binary (rpm) available at http://www.modsecurity.org for CentOS.
Therefore installing from source using the distribution file
modsecurity-apache_2.5.7.tar.gz
I made it past the config stage by installing all required packages.
Now make is failing because the loader can't find the library 'z'.
Can anyone tell me what the library 'z' is?
/usr/bin/ld: skipping incompatible /usr/lib/libz.so when searching for -lz
/usr/bin/ld: skipping incompatible /usr/lib/libz.a when searching for -lz
/usr/bin/ld: cannot find -lz
collect2: ld returned 1 exit status
apxs:Error: Command failed with rc=65536
.
make: *** [mod_security2.la] Error 1
Thanks!

hi,
is it possible to bind the modsecurity console to localhost:8888 only?
per default, the console is listening on 0.0.0.0:8888.
i already googled for a solution and only found the hint to add the
host-property to console.conf:
<Source console com.thinkingstone.console.ConsoleComponent>
[..]
Property host "127.0.0.1"
[..]
</Source>
anyway, that didn't change anything. the console is still listening on all
interfaces.
is there a solution for this problem?
regards, lowshoe

Hi Chris,
I've just tried AuditViewer (Audit Events & Tree View tabs) and i liked it very much. I've two quick observations; the application accepts regular expressions not just wildcards (i couldn't figure that out immediately, an example video would be great). The fact that it also supports apache access logs is a plus. And finally in the Tree View, if the alert produced two or more tags (messages), you may show them as siblings as opposed to hierarchical view.
The first time I had a look at the screen-shot in the blog post, it seemed like the Firebug active web page with xhr requests flowing. ;)
cheers,
bedirhan
http://www.owasp.org/index.php/Turkey
> From: chris@...
> To: Brian.Rectanus@...
> Date: Mon, 23 Feb 2009 11:53:46 +0100
> CC: mod-security-users@...
> Subject: Re: [mod-security-users] Browsing ModSecurity Alerts
>
>
> On 23.02.2009 at 11:31, Brian Rectanus wrote:
>
> > Nice! Allow filtering like Cerebus(1) could do for snort alerts and it
> > could be a killer app ;) The idea here is that you start with a slew of
> > alerts and keep applying filters to get to only what you need, but all
> > the filtering/collapsing needs to be dynamic and serially applied. Make
> > sure you can do it with key shortcuts as well. I've always wanted that
> > sort of functionality in an alert viewer for ModSecurity, but never had
> > the time.
> >
>
> Yeah, as pointed out in the blog entry, the plans are similar in the sense
> that you can write filter-chains which create the desired view. This is
> how it works, currently.
> I do not have any UI-parts for specifying the filters interactively, yet.
> Currently there is a fixed set of filters being created at startup
> (hardcoded), but these will become more flexible in the future.
>
> My perspective is to make these filter-chains persistent (XML of course :-))
> in order to make the filtering repeatable and automatable (e.g. for
> automatic report generation).
>
>
> > (1) http://dragos.com/cerebus/tutorial.html
>
> Thanks, I will have a look at this.
>
> Regards,
> Chris
>

On 23.02.2009 at 11:31, Brian Rectanus wrote:
> Nice! Allow filtering like Cerebus(1) could do for snort alerts and it
> could be a killer app ;) The idea here is that you start with a slew of
> alerts and keep applying filters to get to only what you need, but all
> the filtering/collapsing needs to be dynamic and serially applied. Make
> sure you can do it with key shortcuts as well. I've always wanted that
> sort of functionality in an alert viewer for ModSecurity, but never had
> the time.
>
Yeah, as pointed out in the blog entry, the plans are similar in the sense
that you can write filter-chains which create the desired view. This is
how it works, currently.
I do not have any UI-parts for specifying the filters interactively, yet.
Currently there is a fixed set of filters being created at startup
(hardcoded), but these will become more flexible in the future.
My perspective is to make these filter-chains persistent (XML of course :-))
in order to make the filtering repeatable and automatable (e.g. for
automatic report generation).
> (1) http://dragos.com/cerebus/tutorial.html
Thanks, I will have a look at this.
Regards,
Chris

Nice! Allow filtering like Cerebus(1) could do for snort alerts and it
could be a killer app ;) The idea here is that you start with a slew of
alerts and keep applying filters to get to only what you need, but all
the filtering/collapsing needs to be dynamic and serially applied. Make
sure you can do it with key shortcuts as well. I've always wanted that
sort of functionality in an alert viewer for ModSecurity, but never had
the time.
(1) http://dragos.com/cerebus/tutorial.html
-B
Christian Bockermann wrote:
> Hi there,
>
> just for information, I did start to extend the AuditViewer for getting a
> better overview on the alerts raised by the core-rules rule set. Of course
> this is suitable for other rules as well.
> Some more details and a preview of the up-coming release can be found
> here:
>
> https://secure.jwall.org/blog/2009/02/22/1235341258416.html
>
>
> Best regards,
>
> Chris
>
--
Brian Rectanus
Breach Security

Hi there,
just for information, I did start to extend the AuditViewer for getting a
better overview on the alerts raised by the core-rules rule set. Of course
this is suitable for other rules as well.
Some more details and a preview of the up-coming release can be found
here:
https://secure.jwall.org/blog/2009/02/22/1235341258416.html
Best regards,
Chris